[SCM] WebKit Debian packaging branch, debian/unstable, updated. debian/1.2.3-2-36-g0136662
Michael Gilbert
michael.s.gilbert at gmail.com
Wed Sep 8 00:06:48 UTC 2010
The following commit has been merged in the debian/unstable branch:
commit da1cd7ef4e75839c1e114bb0372d2ef485e56382
Author: Michael Gilbert <michael.s.gilbert at gmail.com>
Date: Mon Sep 6 21:49:09 2010 -0400
fix cve-2010-2646
diff --git a/debian/changelog b/debian/changelog
index 948b561..9094c21 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+webkit (1.2.4-2) unstable; urgency=high
+
+ * fix cve-2010-2646: security origin bypass using IFRAME elements.
+
+ -- Michael Gilbert <michael.s.gilbert at gmail.com> Mon, 06 Sep 2010 21:36:40 -0400
+
webkit (1.2.4-1) unstable; urgency=high
* New stable release
diff --git a/debian/patches/cve-2010-2646.patch b/debian/patches/cve-2010-2646.patch
new file mode 100644
index 0000000..7badbde
--- /dev/null
+++ b/debian/patches/cve-2010-2646.patch
@@ -0,0 +1,96 @@
+description: fix cve-2010-2646
+author: Michael Gilbert <michael.s.gilbert at gmail.com>
+origin: http://trac.webkit.org/changeset/58873
+Index: webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/storage/StorageEventDispatcher.cpp 2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/storage/StorageEventDispatcher.cpp 2010-09-06 21:48:13.000000000 -0400
+@@ -54,8 +54,12 @@
+ frames.append(frame);
+ }
+
+- for (unsigned i = 0; i < frames.size(); ++i)
+- frames[i]->document()->enqueueStorageEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), frames[i]->domWindow()->sessionStorage()));
++ for (unsigned i = 0; i < frames.size(); ++i) {
++ ExceptionCode ec = 0;
++ Storage* storage = frames[i]->domWindow()->sessionStorage(ec);
++ if (!ec)
++ frames[i]->document()->enqueueEvent(StorageEvent::create(eventNames().storageEvent, key, oldValue, newValue, sourceFrame->document()->url(), storage));
++ }
+ } else {
+ // Send events to every page.
+ const HashSet<Page*>& pages = page->group().pages();
+Index: webkit-1.2.4/WebCore/page/DOMWindow.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.h 2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.h 2010-09-06 21:47:06.000000000 -0400
+@@ -206,7 +206,7 @@
+
+ #if ENABLE(DOM_STORAGE)
+ // HTML 5 key/value storage
+- Storage* sessionStorage() const;
++ Storage* sessionStorage(ExceptionCode&) const;
+ Storage* localStorage(ExceptionCode&) const;
+ #endif
+
+Index: webkit-1.2.4/WebCore/page/DOMWindow.cpp
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/DOMWindow.cpp 2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/page/DOMWindow.cpp 2010-09-06 21:47:06.000000000 -0400
+@@ -567,7 +567,7 @@
+ }
+
+ #if ENABLE(DOM_STORAGE)
+-Storage* DOMWindow::sessionStorage() const
++Storage* DOMWindow::sessionStorage(ExceptionCode& ec) const
+ {
+ if (m_sessionStorage)
+ return m_sessionStorage.get();
+@@ -576,6 +576,11 @@
+ if (!document)
+ return 0;
+
++ if (!document->securityOrigin()->canAccessLocalStorage()) {
++ ec = SECURITY_ERR;
++ return 0;
++ }
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+@@ -593,16 +598,16 @@
+ {
+ if (m_localStorage)
+ return m_localStorage.get();
+-
++
+ Document* document = this->document();
+ if (!document)
+ return 0;
+-
++
+ if (!document->securityOrigin()->canAccessLocalStorage()) {
+ ec = SECURITY_ERR;
+ return 0;
+ }
+-
++
+ Page* page = document->page();
+ if (!page)
+ return 0;
+Index: webkit-1.2.4/WebCore/page/SecurityOrigin.h
+===================================================================
+--- webkit-1.2.4.orig/WebCore/page/SecurityOrigin.h 2010-09-06 21:44:18.000000000 -0400
++++ webkit-1.2.4/WebCore/page/SecurityOrigin.h 2010-09-06 21:47:06.000000000 -0400
+@@ -120,6 +120,11 @@
+ bool canAccessLocalStorage() const { return !isUnique(); }
+ bool canAccessCookies() const { return !isUnique(); }
+
++ // Technically, we should always allow access to sessionStorage, but we
++ // currently don't handle creating a sessionStorage area for unique
++ // origins.
++ bool canAccessSessionStorage() const { return !isUnique(); }
++
+ bool isSecureTransitionTo(const KURL&) const;
+
+ // The local SecurityOrigin is the most privileged SecurityOrigin.
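Review bot: The new `canAccessSessionStorage()` added to SecurityOrigin.h is never called: the guard inserted into `DOMWindow::sessionStorage` in DOMWindow.cpp tests `canAccessLocalStorage()` instead, so the helper and its explanatory comment are dead code and the two predicates can silently diverge if one is later relaxed. The guard line should read `if (!document->securityOrigin()->canAccessSessionStorage()) {`. Changing `sessionStorage()` to take an `ExceptionCode&` also breaks every existing zero-argument caller; the only one updated here is StorageEventDispatcher.cpp, and the generated DOM bindings (DOMWindow.idl is not touched by this patch) presumably still call the old form, so confirm the tree builds and that the SECURITY_ERR actually reaches script. The same nested hunk also renames the dispatcher's `enqueueStorageEvent` call to `enqueueEvent`; unless `Document::enqueueEvent` already exists in 1.2.4 this is an unrelated change that may not compile.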
diff --git a/debian/patches/series b/debian/patches/series
index 05cfdf1..12314ef 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,2 +1,3 @@
02-pool-fixup-and-sparc-support.patch
04-spoof-user-agent-to-google.patch
+cve-2010-2646.patch